Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-05-2023 06:45
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe; Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: file.exe; Resource: win10v2004-20230220-en)
General
- Target: file.exe
- Size: 298KB
- MD5: b7c137a18093f43fa0ac50865cc34f9c
- SHA1: 93727de39d92f6934d4ddee26728b207a212428e
- SHA256: 63e235b92d97d6c3d5a5dca42f31279b674d3140affc1e26c5971d12fc1d7667
- SHA512: 40683347b6f3dd2f18d15d5bfaa64d98f6ca88d1497bac811483366c59e5c786914dd32445981f774666b20053390f18d5a01f278162ba85bf75866edf6c95d6
- SSDEEP: 3072:/UgGk8D2CKiH+U3XmE5kDOXkqVDE/zpUp+rqdyy76kgREiwUP7A6qVxWm5iT/Hrq:Ret/X/GDwpELm04B710Ej2qVA8i
Malware Config
Extracted: tofsee
- vanaheim.cn
- jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gcsnkknd\ImagePath = "C:\\Windows\\SysWOW64\\gcsnkknd\\ilibsuoe.exe" | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: file.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | file.exe
- Executes dropped EXE (1 IoCs)
  Processes: ilibsuoe.exe
  pid | process
  4392 | ilibsuoe.exe
- Drops file in System32 directory (1 IoCs)
  Processes: svchost.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\config\systemprofile:.repos | svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: ilibsuoe.exe
  description | pid | process | target process
  PID 4392 set thread context of 868 | 4392 | ilibsuoe.exe | svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe, sc.exe
  pid | process
  1068 | sc.exe
  5108 | sc.exe
  3332 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  Processes: WerFault.exe, WerFault.exe
  pid | pid_target | process | target process
  2572 | 116 | WerFault.exe | file.exe
  4640 | 4392 | WerFault.exe | ilibsuoe.exe
- Modifies data under HKEY_USERS (2 IoCs)
  Processes: svchost.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Buses | svchost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = … | svchost.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes: file.exe, ilibsuoe.exe
  description | pid | process | target process | count
  PID 116 wrote to memory of 4380 | 116 | file.exe | cmd.exe | 3
  PID 116 wrote to memory of 2184 | 116 | file.exe | cmd.exe | 3
  PID 116 wrote to memory of 1068 | 116 | file.exe | sc.exe | 3
  PID 116 wrote to memory of 5108 | 116 | file.exe | sc.exe | 3
  PID 116 wrote to memory of 3332 | 116 | file.exe | sc.exe | 3
  PID 116 wrote to memory of 1828 | 116 | file.exe | netsh.exe | 3
  PID 4392 wrote to memory of 868 | 4392 | ilibsuoe.exe | svchost.exe | 5
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gcsnkknd\
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ilibsuoe.exe" C:\Windows\SysWOW64\gcsnkknd\
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create gcsnkknd binPath= "C:\Windows\SysWOW64\gcsnkknd\ilibsuoe.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description gcsnkknd "wifi internet conection"
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start gcsnkknd
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      Signatures: Modifies Windows Firewall
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1036
      Signatures: Program crash
C:\Windows\SysWOW64\gcsnkknd\ilibsuoe.exe
  Command line: C:\Windows\SysWOW64\gcsnkknd\ilibsuoe.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      Signatures: Sets service image path in registry; Drops file in System32 directory; Modifies data under HKEY_USERS
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 508
      Signatures: Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 116 -ip 116
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4392 -ip 4392
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ilibsuoe.exe
  Filesize: 14.8MB
  MD5: 6ad342b21088f369347c00188d59d3a5
  SHA1: 466352fc1bb2538f18e424e682a1fdeecbc79043
  SHA256: 5e5fa24125a1421adbbad143ae5a80ebd5683cec2232f51877afdf29c4d1ebc7
  SHA512: da0ed0e83e734c133c9803dfb27ccae288bc73fdc7ba0b67e6eda53d46e2261d966dd6fa60a2c469d850fade79e2c1d6d8f7927723148c2ecce30b59653d0bf7
- C:\Windows\SysWOW64\gcsnkknd\ilibsuoe.exe
  Filesize: 14.8MB
  MD5: 6ad342b21088f369347c00188d59d3a5
  SHA1: 466352fc1bb2538f18e424e682a1fdeecbc79043
  SHA256: 5e5fa24125a1421adbbad143ae5a80ebd5683cec2232f51877afdf29c4d1ebc7
  SHA512: da0ed0e83e734c133c9803dfb27ccae288bc73fdc7ba0b67e6eda53d46e2261d966dd6fa60a2c469d850fade79e2c1d6d8f7927723148c2ecce30b59653d0bf7
- memory/116-134-0x0000000000860000-0x0000000000873000-memory.dmp
  Filesize: 76KB
- memory/116-144-0x0000000000400000-0x00000000006C8000-memory.dmp
  Filesize: 2.8MB
- memory/868-139-0x0000000000720000-0x0000000000735000-memory.dmp
  Filesize: 84KB
- memory/868-143-0x0000000000720000-0x0000000000735000-memory.dmp
  Filesize: 84KB
- memory/868-146-0x0000000000720000-0x0000000000735000-memory.dmp
  Filesize: 84KB
- memory/868-147-0x0000000000720000-0x0000000000735000-memory.dmp
  Filesize: 84KB
- memory/868-148-0x0000000000720000-0x0000000000735000-memory.dmp
  Filesize: 84KB
- memory/4392-142-0x0000000000800000-0x0000000000813000-memory.dmp
  Filesize: 76KB
- memory/4392-145-0x0000000000400000-0x00000000006C8000-memory.dmp
  Filesize: 2.8MB